
Mailing List Archive: SpamAssassin: users

DHL From Russia



robob at robob

Aug 8, 2013, 1:21 PM

Post #1 of 8 (39 views)
DHL From Russia

Hello Folks,

First of all, I appreciate the fact that a quality tool like
SpamAssassin has an opensource version. Only costs time. Furthermore, I
appreciate all the hard work the devs put into making it better.

But really, shouldn't the latest version with sa-update run a few days
ago, be able to block DHL package spam from Russia? How long has that
been going on? A decade?

Now back to our regularly scheduled program.

Y'all be cool,
Robert A. Ober


me at junc

Aug 8, 2013, 3:12 PM

Post #2 of 8 (38 views)
Re: DHL From Russia [In reply to]

Robert A. Ober wrote on 2013-08-08 22:21:
> Hello Folks,

who?

> First of all, I appreciate the fact that a quality tool like
> SpamAssassin has an opensource version. Only costs time. Furthermore,
> I appreciate all the hard work the devs put into making it better.

opensource means you can make patches and suggest new rules to detect
undetected spam, but time does not permit it?

> But really, shouldn't the latest version with sa-update run a few
> days ago, be able to block DHL package spam from Russia? How long has
> that been going on? A decade?

show sample on pastebin, don't be stupid

last but not least don't post html on mailing lists


thomas-lists at nybeta

Aug 9, 2013, 6:16 AM

Post #3 of 8 (33 views)
Re: DHL From Russia [In reply to]

On 8/8/2013 6:12 PM, Benny Pedersen wrote:
>
> show sample on pastebin
>

We see a few of these each week, not sure if they are from Russia:

http://pastebin.com/iBmELtSh
http://pastebin.com/qpxhkJbB

Sometimes they score high enough to flag as spam, other times they are
just below the threshold.

I've debated writing a local rule to flag them as spam if the from
address does not match what DHL uses, except I have no good samples from
DHL.
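One way to write the local rule Thomas is considering, as an added example that is not code from the thread or from the SpamAssassin project. It assumes the message must first claim to be DHL (display name or Subject) before the From address is checked, that dhl.com is the legitimate sending domain, and that the LOCAL_* rule names and the 2.0 score are placeholders to be tuned; none of these come from the thread.

```conf
# Added example for local.cf, not from the thread or the SpamAssassin project.
# Assumptions: the trigger (DHL named in From display name or Subject) and the
# allow-listed domain dhl.com are placeholders; replace the domain with the
# sender domains observed in genuine DHL mail before relying on this rule.

# Sub-rules (a leading "__" means the rule scores nothing by itself).
header   __LOCAL_DHL_IN_FROM_NAME   From:name =~ /\bDHL\b/i
header   __LOCAL_DHL_IN_SUBJECT     Subject =~ /\bDHL\b/i
header   __LOCAL_FROM_DHL_DOMAIN    From:addr =~ /\@(?:[\w-]+\.)*dhl\.com$/i

# Fire only when the message claims to be DHL and the From address is
# not in the assumed DHL domain; plain DHL mentions alone do not score.
meta     LOCAL_DHL_FROM_MISMATCH    (__LOCAL_DHL_IN_FROM_NAME || __LOCAL_DHL_IN_SUBJECT) && !__LOCAL_FROM_DHL_DOMAIN
describe LOCAL_DHL_FROM_MISMATCH    Claims to be DHL but From address is not a dhl.com address
score    LOCAL_DHL_FROM_MISMATCH    2.0
```

Drop this into the site local.cf (commonly /etc/mail/spamassassin/local.cf), run `spamassassin --lint` to catch syntax errors, and check the two pastebin samples with `spamassassin -t < sample.eml` to see whether the rule appears in the tests list. The missing piece Thomas mentions, what DHL actually sends from, is exactly the allow list in __LOCAL_FROM_DHL_DOMAIN; until that is known, a tiny score such as 0.001 makes hits visible in X-Spam-Status without moving any verdict, which is the usual way to measure a new rule's false-positive rate before raising its score.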


me at junc

Aug 9, 2013, 7:05 AM

Post #4 of 8 (33 views)
Re: DHL From Russia [In reply to]

Thomas Harold wrote on 2013-08-09 15:16:

> We see a few of these each week, not sure if they are from Russia:
>
> http://pastebin.com/iBmELtSh


Content analysis details: (8.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.6 RCVD_IN_BRBL_LASTEXT   RBL: No description available.
                            [31.24.139.73 listed in bb.barracudacentral.org]
 0.1 RELAY_IT               Relayed through IT
 3.3 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: slppoa.org]
 0.5 SPF_NONE               SPF: sender does not publish an SPF Record
 0.0 T_HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
                            domains are different
 0.1 STARS_ON_FORTY_FOOR    URI: contains 4 chars url at end
 0.1 STARS_ON_FORTY_SIX     URI: contains 6 chars url at end
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.5 HTML_TITLE_MISSING     Meta: !__HTML_TITLE_BEGIN && !__HTML_TITLE_END && HTML_MESSAGE
 1.3 RDNS_NONE              Delivered to internal network by a host with no rDNS
 0.1 HTML_DOCTYPE_MISSING   Meta: !__DOCTYPE_ALL && HTML_MESSAGE
 1.3 SAGREY                 Adds score to spam from first-time senders

> http://pastebin.com/qpxhkJbB


Content analysis details: (8.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.6 RCVD_IN_BRBL_LASTEXT   RBL: No description available.
                            [62.109.30.143 listed in bb.barracudacentral.org]
 1.5 RELAY_RU               Relayed through RU
-0.0 SPF_PASS               SPF: sender matches SPF record
 2.4 DATE_IN_FUTURE_03_06   Date: is 3 to 6 hours after Received: date
 0.0 T_HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
                            domains are different
 0.1 STARS_ON_FORTY_FOOR    URI: contains 4 chars url at end
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.5 HTML_TITLE_MISSING     Meta: !__HTML_TITLE_BEGIN && !__HTML_TITLE_END && HTML_MESSAGE
 1.3 RDNS_NONE              Delivered to internal network by a host with no rDNS
 0.1 HTML_DOCTYPE_MISSING   Meta: !__DOCTYPE_ALL && HTML_MESSAGE
 1.3 SAGREY                 Adds score to spam from first-time senders


> Sometimes they score high enough to flag as spam, other times they
> are just below the threshold.

last one was over


> I've debated writing a local rule to flag them as spam if the from
> address does not match what DHL uses, except I have no good samples
> from DHL.

could be a start, but no example showed forged senders here


neil at cauce

Aug 9, 2013, 7:16 AM

Post #5 of 8 (33 views)
Re: DHL From Russia [In reply to]

On Aug 9, 2013, at 6:16 AM, Thomas Harold <thomas-lists [at] nybeta> wrote:

> We see a few of these each week, not sure if they are from Russia:
>
> http://pastebin.com/iBmELtSh


Not really that difficult to block.

31.24.139.73

Senderscore of '3' (out of 100)
https://senderscore.org/lookup.php?lookup=31.24.139.73&ipLookup=Go

Email Reputation Poor
http://www.senderbase.org/lookup?search_string=31.24.139.73


uhlar at fantomas

Aug 9, 2013, 7:42 AM

Post #6 of 8 (33 views)
Re: DHL From Russia [In reply to]

>Thomas Harold wrote on 2013-08-09 15:16:
>>We see a few of these each week, not sure if they are from Russia:
>>http://pastebin.com/iBmELtSh

On 09.08.13 16:05, Benny Pedersen wrote:
> 1.6 RCVD_IN_BRBL_LASTEXT RBL: No description available.
> [31.24.139.73 listed in bb.barracudacentral.org]
> 0.1 RELAY_IT Relayed through IT
> 3.3 URIBL_BLACK Contains an URL listed in the URIBL blacklist
> [URIs: slppoa.org]
> 0.5 SPF_NONE SPF: sender does not publish an SPF Record
> 0.0 T_HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
> domains are different
> 0.1 STARS_ON_FORTY_FOOR URI: contains 4 chars url at end
> 0.1 STARS_ON_FORTY_SIX URI: contains 6 chars url at end
> 0.0 HTML_MESSAGE BODY: HTML included in message
> 0.5 HTML_TITLE_MISSING Meta: !__HTML_TITLE_BEGIN && !__HTML_TITLE_END &&
> HTML_MESSAGE
> 1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
> 0.1 HTML_DOCTYPE_MISSING Meta: !__DOCTYPE_ALL && HTML_MESSAGE
> 1.3 SAGREY Adds score to spam from first-time senders

>>http://pastebin.com/qpxhkJbB

> 1.6 RCVD_IN_BRBL_LASTEXT RBL: No description available.
> [62.109.30.143 listed in bb.barracudacentral.org]
> 1.5 RELAY_RU Relayed through RU
>-0.0 SPF_PASS SPF: sender matches SPF record
> 2.4 DATE_IN_FUTURE_03_06 Date: is 3 to 6 hours after Received: date
> 0.0 T_HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
> domains are different
> 0.1 STARS_ON_FORTY_FOOR URI: contains 4 chars url at end
> 0.0 HTML_MESSAGE BODY: HTML included in message
> 0.5 HTML_TITLE_MISSING Meta: !__HTML_TITLE_BEGIN && !__HTML_TITLE_END &&
> HTML_MESSAGE
> 1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
> 0.1 HTML_DOCTYPE_MISSING Meta: !__DOCTYPE_ALL && HTML_MESSAGE
> 1.3 SAGREY Adds score to spam from first-time senders

unfortunately RELAY_IT, RELAY_RU, STARS_ON_FORTY_FOOR, STARS_ON_FORTY_SIX and
SAGREY are not stock rules. the RCVD_IN_BRBL_LASTEXT and URIBL_BLACK may
not apply for early recipients.

you also seem to have modified scores for URIBL_BLACK, at least compared to
what I have locally:

50_scores.cf:score URIBL_BLACK 0 1.775 0 1.725 # n=0 n=2

... and I have quite actual scores:
-rw-r--r-- 1 debian-spamd debian-spamd 44575 Aug 9 02:23 50_scores.cf

just noticing...
--
Matus UHLAR - fantomas, uhlar [at] fantomas ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Chernobyl was a Windows 95 beta test site.


mysqlstudent at gmail

Aug 9, 2013, 8:27 AM

Post #7 of 8 (32 views)
Re: DHL From Russia [In reply to]

Hi,

>> 1.6 RCVD_IN_BRBL_LASTEXT RBL: No description available.
>> [62.109.30.143 listed in bb.barracudacentral.org]
>> 1.5 RELAY_RU Relayed through RU
>> -0.0 SPF_PASS SPF: sender matches SPF record
>> 2.4 DATE_IN_FUTURE_03_06 Date: is 3 to 6 hours after Received: date
>> 0.0 T_HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
>> domains are different
>> 0.1 STARS_ON_FORTY_FOOR URI: contains 4 chars url at end
>> 0.0 HTML_MESSAGE BODY: HTML included in message
>> 0.5 HTML_TITLE_MISSING Meta: !__HTML_TITLE_BEGIN && !__HTML_TITLE_END && HTML_MESSAGE
>> 1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
>> 0.1 HTML_DOCTYPE_MISSING Meta: !__DOCTYPE_ALL && HTML_MESSAGE
>> 1.3 SAGREY Adds score to spam from first-time senders
>
> unfortunately RELAY_IT, RELAY_RU, STARS_ON_FORTY_FOOR, STARS_ON_FORTY_SIX and
> SAGREY are not stock rules. the RCVD_IN_BRBL_LASTEXT and URIBL_BLACK may
> not apply for early recipients.
> you also seem to have modified scores for URIBL_BLACK, at least compared to
> what I have locally:
>
> 50_scores.cf:score URIBL_BLACK 0 1.775 0 1.725 # n=0 n=2
>
> ... and I have quite actual scores:
> -rw-r--r-- 1 debian-spamd debian-spamd 44575 Aug 9 02:23 50_scores.cf
>
> just noticing...

... and no BAYES?

These look like the types of messages where either a specific body
pattern would be necessary, or blocking the IP with postfix.

Regards,
Alex


me at junc

Aug 9, 2013, 8:44 AM

Post #8 of 8 (32 views)
Re: DHL From Russia [In reply to]

Alex wrote on 2013-08-09 17:27:

> ... and no BAYES?

yep no bayes, privacy concern

> These looks like the types of messages where either a specific body
> pattern would be necessary, or block the IP with postfix.

well ip is not content
